Geekzone: technology news, blogs, forums
103 posts, Master Geek
#144208 11-May-2014 14:39

Had a query with Vodafone over my on-account discount for my broadband, sent them a screenshot from the My Vodafone page showing my account.

They sent back an email with steps on how to log in to the My Vodafone portal (!!) and my username and PASSWORD IN CLEAR TEXT!!

Do you want to be like Yahoo/Xtra and compromise people's accounts?? Because this is a good way to do it...

6615 posts, Uber Geek, Inactive user
#1041723 11-May-2014 14:51

Was this a CSR personally sending you details or the system?

2466 posts, Uber Geek
#1041724 11-May-2014 14:53

Yep, Vodafone store all that in plaintext :|

103 posts, Master Geek
#1041726 11-May-2014 14:56

Yep, from a specific CSR. I have emailed them back and made it clear that I don't want them to ever send me my username and password . . .

4553 posts, Uber Geek, Trusted, Lifetime subscriber
#1041727 11-May-2014 14:59


kyhwana2: Yep, Vodafone store all that in plaintext :|

WOW! This is unacceptable to me.

16206 posts, Uber Geek
#1041728 11-May-2014 14:59


How do you want them to send you your password, though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

6615 posts, Uber Geek, Inactive user
#1041729 11-May-2014 15:00

nakedmolerat:
kyhwana2: Yep, Vodafone store all that in plaintext :|
WOW! This is unacceptable to me.

I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another "let's stab Vodafone" thread...

6615 posts, Uber Geek, Inactive user
#1041734 11-May-2014 15:05

mattwnz: How do you want them to send you your password, though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

Given PPP, email and My Account passwords are the same for the one username, there isn't really any practical way to do anything different. Would be good if it was revised. I think you should be more worried about your POP email client. 99% more likely for that password to be stolen than one in an email.

1080 posts, Uber Geek, Trusted
#1041738 11-May-2014 15:22


I have had my password txted to me automatically from another major ISP in the past; emailing it is no different. The best thing I can suggest doing is changing your password, when you receive it in an email/txt, to something that is unique, so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing, right? ;)

BDFL - Memuneh, 67147 posts, Uber Geek, Administrator, Trusted, Geekzone, Lifetime subscriber
#1041748 11-May-2014 16:01


mattwnz: How do you want them to send you your password, though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text or transmitting passwords over email is asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this.

2466 posts, Uber Geek
#1041750 11-May-2014 16:02


Andib: I have had my password txted to me automatically from another major ISP in the past; emailing it is no different. The best thing I can suggest doing is changing your password, when you receive it in an email/txt, to something that is unique, so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing, right? ;)

Standard password security should be that passwords are stored hashed (with a strong password hash algorithm like s/bcrypt) and that you get emailed a one-time token to reset your password.
Of course, in the ISP world of RADIUS/PPPoE/A, that's not really applicable... but DSL/PPPo* auth should be handled differently from web-based ones.

6615 posts, Uber Geek, Inactive user
#1041756 11-May-2014 16:13


freitasm:
mattwnz: How do you want them to send you your password, though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text or transmitting passwords over email is asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this.

This would be the most ideal process. As mentioned before, the PPP username shares the same password with email and My Account due to them not being separated. The easiest approach, without expecting every customer to update their email and PPP, would be to provide it in plain text. I think a process improvement is needed, as we are in 2014, not 2003.

*Furthermore.
We are moving away from PPPoA. VDSL and UFB are port based. Hopefully we might get a new system in place for ADSL to use the same port-based auth. It would save a lot of time for CSRs that have customers with incorrect passwords and will make pathways for security updates.

383 posts, Ultimate Geek
#1042762 13-May-2014 08:40


freitasm:
mattwnz: How do you want them to send you your password, though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text or transmitting passwords over email is asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this.

Any tech-savvy person would agree with this. From my experience, I believe the customer complaints, however, would be significant. I have a hard time imagining any ISP wanting to lead this charge until general public opinion and education sees this type of security as a benefit to them instead of an inconvenience imposed on them.

Please note: I have a professional bias towards Vodafone.

4553 posts, Uber Geek, Trusted, Lifetime subscriber
#1042790 13-May-2014 09:17


TimA:
nakedmolerat:
kyhwana2: Yep, Vodafone store all that in plaintext :|
WOW! This is unacceptable to me.

I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another "let's stab Vodafone" thread...

I have no interest in stabbing Vodafone. Zilch. None.

No one should know my password except me.

232 posts, Master Geek
#1045163 14-May-2014 22:17


But then if an ISP e-mails you a link to reset the password, that person can create any password behind your back, so I don't think it matters whether they send you an e-mail in plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP sends me a password through to my mobile then my friend can obviously read my text messages, or my girlfriend.

So... there's no safer way at all...?

4102 posts, Uber Geek, Trusted, Lifetime subscriber
#1045300 15-May-2014 08:33


Salami: But then if an ISP e-mails you a link to reset the password, that person can create any password behind your back, so I don't think it matters whether they send you an e-mail in plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP sends me a password through to my mobile then my friend can obviously read my text messages, or my girlfriend.

So... there's no safer way at all...?

If someone compromises your email or mobile (or both) then you're screwed either way.

However, for them to be able to send you a plaintext password means they are storing it in plaintext, or in an easily reversible format, at their end. As kyhwana2 noted above, ideally it should be stored as a well-salted hash using a decent algorithm.

If/when a hacker compromises an organisation, would you like them to have your password stored in plaintext, or in a format that will take them years to crack? We're saying it should be the latter.
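An added illustration of the design kyhwana2 and freitasm describe and the final reply restates (example code written for this page, not from any poster or from Vodafone's systems): passwords kept only as salted hashes, and a reset flow that emails a one-time, expiring token whose hash is all the server retains. It uses Python's standard-library scrypt in place of bcrypt; the AccountStore class, the cost parameters, the 15-minute lifetime and the sample user are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# scrypt (memory-hard) stands in for bcrypt here; cost values are assumed, tune per hardware
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)
TOKEN_TTL = 15 * 60  # assumed: a reset link is valid for 15 minutes

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute and compare in constant time; the password itself is never stored."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)

class AccountStore:
    """Hypothetical in-memory store: it holds hashes of passwords and reset tokens only."""
    def __init__(self):
        self.users = {}         # username -> (salt, digest)
        self.reset_tokens = {}  # sha256(token) -> (username, expiry timestamp)

    def create_user(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        record = self.users.get(username)
        return record is not None and verify_password(password, *record)

    def issue_reset_token(self, username, now=None):
        """Mint the secret for the emailed link; only its hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[key] = (username, now + TOKEN_TTL)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        """Consume the token exactly once; unknown, reused or expired tokens are rejected."""
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None or now > entry[1]:
            return False
        self.users[entry[0]] = hash_password(new_password)
        return True
```

Because neither the password nor the raw token is ever stored, a copy of the database gives an attacker only salted scrypt digests to grind through, and a leaked reset link stops working the moment it is used or its window closes.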